Practical IT: What you need to know about email encryption

7 Deadly IT Sins - Unencrypted emailIt’s surprising how many people aren’t aware how insecure email is.

They are of course aware of spam for the annoyance it causes.

Many also have a horror story about sending an email to the wrong person (or when they didn’t check who was copied on an email when they hit “Reply All”), but they don’t consider how the same underlying issues could affect their privacy.

When email was invented over 40 years ago, no one thought about how to ensure the integrity of messages. As a result, it’s very easy for someone to use deception to spoof an email, but it’s very hard to verify that it’s from who it says it’s from.

Likewise because email traverses the internet in plaintext, there is no confidentiality – the content of an email is no more private than what you write on a postcard.

Even instant messaging apps like WhatsApp and Facebook Messenger are more secure than email.

But for all their concerns about privacy, most people don’t know that their email messages are open to be read by anyone.

Encryption can solve these problems, but the technology for doing so is challenging for users who like to click and forget it.

Encryption doesn’t just happen magically. It requires a little bit of effort.

There are three different options for encryption we’ll talk about here, along with the good and the bad about each of these solutions.

A big part of security necessarily involves training users, so make sure you keep them in mind when you consider the options.

1. PGP and S/MIME

PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions) are commonly used standards for encrypting and signing email.

While PGP is fairly easy to set up, it’s not very user friendly and it doesn’t integrate well with corporate email apps like Outlook.

S/MIME is more enterprise friendly and can be easier to use once its set up. But for it to work well, every single user needs a publicly-verifiable certificate, which could end up costing a lot of money.

The difficulty with these technologies is that both sender and recipient need to support it to exchange public keys in order to encrypt and decrypt messages securely.

In the case of S/MIME you’ll only get the full benefits if the guy on the other end has also bought a certificate.

2. File encryption

A solution for when you need to transfer a bunch of files securely is to simply send sensitive files in an encrypted archive, rather than encrypt the email.

Archive encryption generally uses symmetric not asymmetric encryption, so you have to share a password with the other person somehow.

A good option is to phone the recipient, or say the password to them in person, if that’s possible. Because you’re relying on a shared password, it needs to be very strong so it’s not crackable.

When sending encrypted zip files, you need to make sure you’re using modern versions, because previous versions of the zip format had very weak encryption.

Annoyingly, neither Windows nor Mac support newer AES secure versions, so you need to use a third party tool like 7-Zip.

3. SPX encryption

The third option is called SPX (Secure PDF eXchange), which is Sophos’s email encryption technology (and obviously only available for Sophos users, so ignore this option if you’re not a customer of Sophos!).

When a user receives an SPX encrypted message, they simply open the PDF and enter their password to view attachments.

If I send you an SPX email, you get an invite to register on portal, where you choose a password. Then, every subsequent email will come as a password-protected PDF. You only need to go to a website to reply. The drawback is that you don’t have a record of your replies in your email inbox.

SPX is easy to set up, and it’s also very easy on users because the email recipient needs nothing more than the ability to open a PDF. There’s no need to share passwords. And no client software installation is required.

Getting email security right

There are more secure options than email for collaboration, such as dedicated tools that send communications over HTTPS, but that’s not always practical. You also have to trust the collaboration tool to securely handle your data!

Despite its lack of security, we keep using email because it’s become so ingrained in the way we do business, and it’s not going to be replaced any time soon.

To get email security right, you should think about all the ways email can be misused and abused.

Spam filtering is absolutely essential, not just to save wasted time from spam, but to protect against phishing.

Email clients need to be well patched, because an email client is rendering untrusted content from the internet, which carries the risk of running malware just by opening an email.

And you need data loss prevention (DLP) technology to stop people from sending data they shouldn’t be sending, based on your regional laws and compliance rules.

Email and the 7 Deadly IT Sins

Unencrypted email is one of Sophos’s 7 Deadly IT Sins. You can read more about that and the 6 other sins on our website here.